The world is abuzz with compliance talk stemming from the European Union's General Data Protection Regulation (GDPR). GDPR applies from May 25, 2018 and has serious compliance implications for any organization collecting or processing personal data about people in the EU. These days, that's almost everyone.
Here is a quick rundown of GDPR and what you need to know.
How Has the Definition of Personal Data Changed?
GDPR defines personal data broadly: any information relating to an identified or identifiable natural person, explicitly including online identifiers such as IP addresses and cookie IDs, device identifiers and location data. One useful way to think about what that covers is in six categories of personal information you need to be mindful of:
- Historical: An individual’s personal history.
- Financial: Financial accounts, ownership, transactions or credit information.
- Social: Personal or professional networks, family members, public life and communication.
- Tracking: Device identifiers, IP addresses, cookies, contacts and location data.
- External: Identifying characteristics including ethnicity, sexuality, behavior, medical history and other sensitive attributes.
- Internal: Knowledge and beliefs, passwords and other credentials or identifiers, and personal preferences.
GDPR: The New Organizational Requirements
Among the many factors to consider when diving into GDPR are:
- Increased Geographic Scope: The rules apply to any organization that processes the personal data of people in the European Union when offering them goods or services or monitoring their behavior, regardless of where the organization itself is located.
- Higher Penalties: Non-compliance is expensive, with fines of up to 4% of annual global turnover or 20 million euros, whichever is greater, for the most serious infringements.
- Required User Consent: Where consent is the legal basis for processing, it must be freely given, specific, informed and unambiguous, and as easy to withdraw as it was to give. Together with the expanded rights for individuals, this means significant planning for anyone collecting data.
Which New Rights Do Customers Have Under GDPR?
The rights of individuals, and the organizational obligations that back them, are extensive and include:
- Breach Notification: Organizations must report a personal data breach to the supervisory authority within 72 hours of becoming aware of it where feasible, and must inform the affected individuals without undue delay when the breach is likely to result in a high risk to them.
- Right to Access: Individuals can obtain confirmation that their data is being processed and a copy of that data; the first copy is free of charge.
- Right to be Forgotten: Individuals can request erasure of their personal data, for example when it is no longer needed for the purpose it was collected for or when they withdraw consent, subject to the exceptions set out in the regulation.
- Data Portability: Individuals can receive the data they provided in a structured, commonly used and machine-readable format, and have it transmitted to another provider where technically feasible.
- Privacy by Design and by Default: Organizations are expected to build data protection into their systems from the start and to minimize collection, retaining only what is necessary for the stated purpose.
- Record Keeping and Data Protection Officers: Standardized records of processing activities, appointment of a Data Protection Officer where the regulation requires one, and designation of an EU-based representative for organizations established outside the EU that fall under the regulation.
What Is a DPA and Where Can You Get One?
If you are subject to GDPR, you will need to have an appropriate Data Processing Agreement (DPA) in place with any third party that processes personal data on your behalf, such as Absorb. You may want to send completed DPAs to email@example.com. Choose the version that matches your organization:
Established in Europe and conducts business in Europe.
Download the DPA (EU)
Established out of Europe and conducts business in Europe.
Download the DPA (Non-EU)
Want more detail about GDPR?
Have questions? Contact your Customer Success Manager or email us at firstname.lastname@example.org.